Cooks in Clinton crypto kitchen

Deciphering the Clinton administration's people and policy on encryption is about as tough as understanding the technology itself.

Since January, no fewer than five high-ranking White House officials have laid out policy on the controversial issue, sometimes contradicting each other. Most recently, FBI director Louis Freeh sparked controversy last week when he testified before a Senate subcommittee that in order to do its job in the digital age, law enforcement needed the ability to immediately decode all encrypted messages, including communications within the United States, flowing over public networks.

Current regulations, supported by the administration, call for export controls on encryption products. Companies cannot export strong encryption--with encoding keys longer than 56 bits--unless they make it possible for law enforcement agencies with a court order to crack the codes through a process called "key recovery."

The fact that Freeh's comments alluded to similar controls on domestic encryption products raised an outcry from civil libertarians and industry representatives. The White House quickly backed away from Freeh's proposal, saying the FBI director was speaking as a law enforcement official, not as a spokesman for the White House. The Clinton administration has never supported mandatory controls on the domestic use of encryption, a White House spokeswoman said.

In addition to Freeh, Vice President Al Gore, Commerce Department undersecretary William Reinsch, senior Clinton adviser Ira Magaziner, and Clinton "crypto czar" David Aaron have all spoken publicly about encryption policy, leading to some confusion about who calls the shots on the issue.

In reality, some of those pontificating the loudest have little formal role in devising the administration's encryption policy, while some officials behind the scenes wield more influence than one might think.

As with most complex issues in Washington, the White House takes a bureaucratic approach to setting policy on encryption and has created a "deputies group" to represent various crypto constituencies. The list varies depending on who one asks, but it is sure to include Gore, his domestic policy adviser Don Gipps, Reinsch, Sally Katzen, administrator of information and technology with the Office of Management and Budget, and National Security Agency deputy director William Crowell.

Crypto cooks in the Clinton kitchen

Al Gore, U.S. vice president Has last word on Clinton's crypto policy, coined term "information superhighway."

William Reinsch, Commerce undersecretary Faithfully totes White House stance on encryption by favoring export controls while shunning its domestic regulation.

Louis Freeh, FBI director Administration's bad boy on crypto policy by on at least two occasions calling for mandatory controls on domestic encryption. White House says he speaks for law enforcement.

Ira Magaziner, White House senior adviser Clinton's point man on all things digital, including e-commerce and the Internet. Has minimal influence on crypto decisions and policy but has wonked philosophically on its importance in the networked world.

David Aaron, Commerce "crypto czar" Despite the catchy title, his role has been that of an ambassador, encouraging other countries to adopt crypto policies in sync with the White House's. Was recently kicked upstairs to a role that will likely remove him completely from crypto policymaking.

William Crowell, NSA deputy director Like Freeh, he testifies regularly that crypto controls are crucial but remains faithful to stated Clinton policy. Will retire this week.

Others also get seats on the committee, including representatives from the Treasury, Defense, and Justice departments. Both Attorney General Janet Reno and Freeh also attend regularly.

While Aaron may be called the crypto czar, his formal role has been to convince other countries to adopt encryption policies that are in sync with the Clinton administration's stance. Last week, President Clinton named him undersecretary for international trade at the Commerce Department, a position that will steer Aaron even further away from setting encryption policy.

And Magaziner, while an adviser to Clinton on electronic commerce and Internet-related issues, tends to express the administration's stance on encryption more than he forges it.

Magaziner has drafted several policy papers on electronic commerce for the White House, essentially taking the position that the government should apply a hands-off policy to Internet issues. One example of this approach was his recommendation that there be no new taxes on Internet commerce.

By contrast, the very "hands-on" approach the Clinton administration takes with respect to the export of encryption products has led critics to charge the White House is inconsistent in forming policy covering the digital era.

These criticisms are further fueled by Freeh's calls--twice since May--for mandatory "back doors" in encryption products, as well as Clinton's recent support of an encryption bill now before the Senate that critics charge essentially is a more subtle version of the same policy.

The Secure Public Networks Act would provide strong incentives for companies to install so-called "key recovery" features into their encryption products. The features would allow government officials with a court order to immediately decrypt coded messages.

"This is a moving target," said Lauren Hall, chief technologist for the Software Publishers Association. "We have always suspected that the Clinton administration was using the export control discussion as a billy club to bring about the restriction on the domestic use of encryption."

Rights advocates from the Electronic Privacy Information Center say the administration's goal all along has been to bring about mandatory key recovery. They point to an April 1993 document jointly written by members of the FBI, Justice Department, and National Security Agency that called for requiring all encryption products in the United States to have "real-time decryption" capabilities built in.

The White House flatly denies any inconsistency in its policy. "Our position has been, and remains clear, that we do not support domestic controls on encryption," said Heidi Kukis, a spokeswoman for the vice president's office. "What the administration has tried to do and what we have continued to do is work toward a balance between promotion of electronic commerce and protection of our national security."

The administration argues that Freeh's recent testimony and a related legislative proposal that was written with the help of the Office of Management and Budget do not signal inconsistencies either.

"The FBI, going back to J. Edgar Hoover, has a long history of telling Congress what it needs to fight crime," said the Commerce Department's Reinsch, who added that the White House remains opposed to mandatory key recovery. "We don't lack consistency; we lack agreement with [critics'] point of view."

The Office of Management and Budget added that providing assistance in drafting bills is routine and not an indication that the administration supports the bill. "We would reserve the right to make a final judgment if it came back to us in final form," spokesman Lawrence Haas said.

What's really going on, according to Stewart Baker, former general counsel with the National Security Agency, is that the Clinton administration doesn't want another black eye from supporting an unpopular encryption stance.

"There was a lot of talk within the administration about [the proposed legislation], and there was agreement that [it] would be acceptable," said Baker, an attorney with Steptoe & Johnson. "It's more than a trial balloon and less than [first astronaut] John Glenn...like when they sent up the monkey into space."

For critics, the administration's distinctions between mandatory and voluntary key recovery don't carry much substance. They point to the Secure Public Networks Act as an example.

"Under [the bill], use of key recovery would be a condition for participating in the information society," said Jonah Seiger, a spokesman for the Center for Democracy and Technology.

The bill, sponsored by Sens. John McCain (R-Arizona) and Bob Kerrey (D-Nebraska), would require all computer systems supported by government funds to deploy key recovery. It would also set up an elaborate framework for so-called "certificate authority" systems, which will become necessary to validate a person's online identity if electronic commerce is to ever take hold.

The McCain-Kerrey bill would provide tempting incentives for certificate authorities to be endorsed by the government, but would also require them to comply with a key recovery scheme, placing the authorities who don't subscribe to the back-door system at a severe disadvantage.

"They say it's voluntary, but it's mandatory voluntary," Seiger added. "You'd be left with no choice but to use key recovery under McCain-Kerrey."